Icon (ICLR) Risk Analysis

The FCPA, UK Bribery Act and similar anti-corruption laws in other jurisdictions prohibit us and our officers, directors, employees and third parties acting on our behalf, including agents, from corruptly offering, promising, authorizing, or providing anything of value to a "foreign official" for the purposes of influencing official decisions or obtaining or retaining business or otherwise obtaining favorable treatment. In addition, the FCPA imposes certain books, records and accounting control obligations on public companies and other issuers. The UK Bribery Act also prohibits "commercial" bribery and accepting bribes. Our global business operations also must be conducted in compliance with applicable export controls and economic sanctions laws and regulations, including those administered by the U.S. Department of the Treasury's (the "U.S. Treasury") Office of Foreign Assets Control, the U.S. Department of State, the U.S. Department of Commerce, the United Nations Security Council, the European Union, His Majesty's Treasury and other relevant trade compliance authorities. Our internal policies mandate compliance with these anti-corruption and trade compliance laws and regulations. We also operate in many jurisdictions in which bribery or corruption can be common and compliance with anti-bribery laws may conflict with local customs and practices. Despite our training and compliance program safeguards, we cannot assure that our internal control policies, procedures and safeguards will protect us from acts in violation of anti-corruption and trade compliance laws and regulations committed by employees or other third parties associated with us and our continued expansion, including in developing countries, could increase such risk in the future. Violations of anti-corruption, economic sanctions and trade control laws and regulations, or even allegations of such violations, could disrupt our business and result in a material adverse effect on our financial condition, results of operations, cash flows and reputation. For example, violations of anti-corruption and trade compliance laws can result in restatements of, or irregularities in, our financial statements, disgorgement of profits, related stockholder lawsuits as well as severe criminal or civil sanctions. In some cases, companies that violate anti-corruption and trade compliance laws might be debarred by the U.S. government and/or lose their U.S. export privileges. In addition, the U.S. government or other governments may seek to hold us liable based on successor liability for violations of anti-corruption and trade compliance laws committed by companies that we acquire or in which we invest. Changes in anti-corruption and trade compliance laws or enforcement priorities could also result in increased compliance requirements and related costs which could materially adversely affect our business, financial condition, results of operations and cash flows. The increase in economic sanctions and trade controls, particularly relating to our ongoing operations in Russia, Ukraine and Belarus, has increased the amount of resources necessary to ensure compliance in this area.

We act as authorized representative pursuant to Medical Devices Regulation 2017/745 ("MDR") for certain clients who are located outside of the European Union. As authorized representative, we act on behalf of medical device manufacturers in relation to specified tasks with regard to their obligations under MDR. We also act as legal representative pursuant to European Clinical Trials Directive (2021/20/EC) ("CTD"), EU Clinical Trials Regulation (No.536/2014) ("CTR") and MDR for certain clients who are located outside of the European Union with respect to clinical trials being carried out by those clients in the European Union. We also perform similar legal representative services for certain clients in other non-EU jurisdictions, where the client is located outside the relevant local jurisdiction, ICON has an established local legal entity in that jurisdiction and analogous local regulations have a similar requirement for a local legal representative for clinical trials being carried out in those jurisdictions. As legal representative, we are responsible for ensuring compliance with the client's obligations pursuant to CTD, CTR and MDR or analogous local legislation and we are the addressee for all communications with the client provided for under CTD, CTR and MDR or analogous local legislation. We provide these services subject to certain terms and conditions which are contained in our agreements with clients pertaining to these services. We aim to reduce any potential liability associated with these activities by seeking contractual indemnification from our clients and by maintaining an appropriate level of insurance cover. However, there is no guarantee that the specific insurance will be available or that a client will fulfill its obligations in relation to their indemnity.

ICON has a strong privacy posture, driven by the implementation of a core privacy governance strategy and the adoption of policies and procedures designed to help ensure that ICON, including our employees and contractors, can comply with applicable data protection laws (including, but not limited to, the General Data Protection Regulation ("GDPR") (EU) 2016/679). Notwithstanding these measures, failure to comply with applicable data protection laws may occur and could result in increased risk of liability or increased costs to us or could limit our service offerings. Administrative fines: The GDPR introduced a regime of administrative fines for data protection infringements and provided for a tiered penalty structure based on the nature of the infringement. The EU supervisory authorities for the GDPR can directly impose fines on organizations found to be in breach of the GDPR. Lower tier administrative fines allow for fines of up to 2% of worldwide turnover of the group in the preceding financial year. Higher tier administrative fines allow for fines of up to 4% of worldwide turnover of the group in the preceding financial year. Higher tier administrative fines are more likely to be levied for major infringements of the GDPR and core data protection principles (e.g. transparency, data retention, accountability). Penalties: The GDPR also permits Member States to implement rules on other penalties applicable to infringements of the GDPR, in particular, for infringements which are not subject to administrative fines under the GDPR itself. Therefore, Member States may legislate for further fines or penalties that may be criminal in nature. Any fines levied under the GDPR must be effective, proportionate, and dissuasive. Supervisory authorities have been strengthening enforcement activities across the EU in recent years in respect of breaches of GDPR. The risk of fines and penalties under the GDPR carries increased risk of liability to ICON and can result in increased costs and disruption to the delivery of our services. Right to compensation of data subjects: In addition to the risk of administrative and criminal penalties, the GDPR also provides that any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation for the damage suffered, from the controller or processor responsible for the infringement. The level of award of damages is set by the competent court in the applicable EU Member State. This carries increased risk of liability for ICON. Corrective Powers of the supervisory authorities: Each supervisory authority across the Member States of the EU also has corrective powers. Supervisory authorities have the power to order ICON to bring processing operations into compliance with the provisions of the GDPR in a specified manner within a specified time period, or to impose a temporary or definitive limitation including a ban on processing, and to order the suspension of data flows to a recipient in a third country or to an international organization. Supervisory authorities also have powers to conduct audits and investigations of ICON and instruct ICON to take certain actions. The exercise of these powers by supervisory authorities has the potential to increase costs for ICON and cause disruption to the business and delivery of our services. The foundational principles of the GDPR have helped shape the development of many other privacy laws globally. Internationally, data protection laws continue to be introduced at a rapid rate, with greater protections afforded to personal data than ever before, and greater risk of liability to organizations processing that personal data. As a global organization, ICON must ensure that our privacy posture continues to adapt to these new laws and regulations. From a US perspective, the confidentiality, collection, use and disclosure of personal data, including clinical trial patient-specific information, is regulated at the federal and state level. The Federal Trade Commission, or FTC, is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC's authority with respect to data privacy and security comes from Section 5 of the FTC Act. The FTC uses its broad grant of authority to regulate data privacy and security, using including, but not limited to, requiring the implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, and provision of robust notice and choice mechanisms to consumers. Similar laws exist at the state level, which are used by state attorneys general to enforce against privacy and security-related acts or practices deemed to be unfair or deceptive. More than 15 US states have adopted a comprehensive consumer privacy law or a consumer health data privacy law that regulates how certain businesses collect, use, and disclose the personal information of consumers residing in the state. In general, these laws provide for certain consumer privacy rights and impose transparency standards for business data collection and processing practices. These laws have broad exemptions for personal information that constitutes protected health information under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and de-identified health data as defined under HIPAA. As a result, we do not expect to have compliance obligations under these laws with respect to most patient information we collect and process. However, we are required to comply with these consumer privacy laws insofar as we collect other categories of consumers' personal information, which could include, for example, information about website visitors. These state consumer privacy laws are generally enforced by the respective state Attorney General. California's law also includes a private right of action for certain data breaches. Dozens of other states are currently considering similar consumer privacy laws, which could impact our operations if enacted. The US federal administrative simplification regulations under HIPAA require individuals' written authorization, in addition to any required informed consent, before protected health information may be used for research (unless an institutional review board has waived the authorization requirement or another exception applies). We are directly regulated by HIPAA as a "business associate" because we obtain individually identifiable health information from "covered entity" third parties that are subject to such regulations. We can be directly liable to the covered entity contractually for mishandling protected health information and, under HIPAA's enforcement scheme, we can be subject to up to approximately $2.1 million per year in civil money penalties for multiple violations of the same HIPAA requirement in 2024. The per violation penalties and calendar year cap on penalties are adjusted annually for inflation under the Federal Civil Penalties Inflation Adjustment Act. Additional legislation or regulation of this type might, among other things, require us to implement new security measures and processes which may require substantial expenditures or limit our ability to offer some of our services. Additionally, if we violate applicable laws, regulations or duties relating to the use, processing or security of personal data, we could be subject to civil liability or criminal prosecution, be forced to alter our business practices or suffer reputational harm.

Certain pharmaceutical companies have begun to collaborate in seeking to develop new drug candidates. Increased collaboration amongst pharmaceutical companies may lead to fewer research opportunities, which in turn may lead to fewer outsource opportunities for companies within the CRO industry. A reduction in outsource opportunities as a result of this increased collaboration could have a material adverse impact on our results of operations.

The biopharmaceutical industry has a history of intellectual property litigation, and these lawsuits will likely continue in the future. Accordingly, we may face patent infringement legal proceedings by companies that have patents for similar business processes or other legal proceedings alleging infringement of their intellectual property rights. Legal proceedings relating to intellectual property could be expensive, take significant time and divert management's attention from other business concerns, regardless of the outcome of the litigation. If we do not prevail in an infringement lawsuit brought against us, we might have to pay damages and we could be required to stop the infringing activity or obtain a license to use technology on unfavorable terms. Any infringement or other legal processing related to intellectual property could have a material adverse effect on our operations and financial condition.

We develop and maintain computer run and web based interactive response technologies to automatically manage the randomization of patients in trials, assign the study drug and adjust the dosage when required for patients enrolled in trials we support. An error in the design, programming or validation of these systems could lead to inappropriate assignment or dosing of patients, which could give rise to patient safety issues and invalidation of the trial and/or liability claims against the Company, amongst other things, any of which could have a material effect on our financial condition and operations.

While no customers individually contributed more than 10% of our revenues during the years ended December 31, 2024 and December 31, 2023, our top five customers represented 25.0% and 26.8% of our revenues respectively, our largest customer represented 7.7% and 8.9% of our revenues, respectively, and our top twenty five customers represented 62.2% and 62.9% of our revenues, respectively. The loss of, or a significant decrease in, business from one or more of these key customers, or an inability to pay outstanding invoices due to us, could have a material adverse impact on our results of operations and financial results.

The biopharmaceutical industry is highly competitive, with biopharmaceutical companies each seeking to persuade payers, providers and patients that their drug therapies are better and more cost-effective than competing therapies marketed or being developed by competing companies. In addition to the adverse competitive interests that biopharmaceutical companies have with each other, biopharmaceutical companies also have adverse interests with respect to drug selection and reimbursement with other participants in the healthcare industry, including payers and providers. Biopharmaceutical companies also compete to be first to market with new drug therapies. We regularly provide services to biopharmaceutical companies who compete with each other and we sometimes provide services to such customers regarding competing drugs in development. Our existing or future relationships with our biopharmaceutical customers may therefore deter other biopharmaceutical customers from using our services or may result in our customers seeking to place limits on our ability to serve other biopharmaceutical industry participants. In addition, our further expansion into the broader healthcare market may adversely impact our relationships with biopharmaceutical customers and such customers may elect not to use our services, reduce the scope of services that we provide to them or seek to place restrictions on our ability to serve customers in the broader healthcare market with interests that are adverse to theirs. Any loss of customers or reductions in the level of revenues from a customer could have a material adverse effect on our results of operations, business and prospects.

ICON is an award-winning workplace that enables employees to make a difference to patients' lives by being part of a world-class contract research organization that helps deliver new medicines & medical devices that are benefiting patients worldwide. The attraction, development and retention of our talent is critical to the success of the Company, and we continue to strengthen processes around these areas to minimize retention risk. The Company, led by the Chief Human Resource Officer, is taking meaningful action to retain employees. Through our annual Talent Review process, we have identified opportunities for improvement as it relates to employee retention. Our People Plans have set specific goals for each functional area in terms of three critical areas: talent attraction, development and retention. However, we can provide no assurances that our efforts in this respect will be successful.

Our services are derived from, or include, the use of data we collect from third parties. We have several data suppliers that provide us with a broad scope of information that we collect, use in our business and sell. We generally enter into long-term contractual arrangements with many of our data suppliers. At the time we enter into a new data supply contract or renew an existing contract, suppliers may increase our cost to obtain and use the data provided by such supplier, increase restrictions on our ability to use or sell such data, or altogether refuse to license the data to us. Also, our data suppliers may fail to meet or adhere to our quality control standards or fail to deliver the data to us. Although no single supplier is material to our business, if suppliers that collectively provide a significant amount of the data we receive or use were to increase our costs to obtain or use such data, further restrict our access to or use of such data, fail to meet or adhere to our quality control standards, refuse to provide or fail to deliver data to us, our ability to provide data-dependent services to our clients may be adversely impacted, which could have a material adverse effect on our business, results of operations, financial condition or cash flow.

Numerous governments, including the U.S. government, have undertaken efforts to control growing healthcare costs through legislation, regulation and voluntary agreements with medical care providers and drug companies. If these efforts are successful, pharmaceutical, biotechnology and medical device companies may react by spending less on research and development and therefore this could have a material adverse effect on our business. In addition to healthcare reform proposals, the expansion of managed care organizations in the health care market may result in reduced spending on research and development. Managed care organizations' efforts to cut costs by limiting expenditures on pharmaceuticals and medical devices could result in pharmaceutical, biotechnology and medical device companies spending less on research and development. If this were to occur, we would have fewer business opportunities and our revenues could decrease, possibly materially.

In recent years, extreme weather events and changing weather patterns such as storms, flooding, droughts and temperature changes have become more common. As a result, we are potentially exposed to varying natural disaster or extreme weather risks such as hurricanes, tornadoes, droughts, floods, wildfires or other events that may result from the impact of climate change on the environment. As a result, we could experience increased costs, business interruptions, destruction of facilities, and loss of life, all of which could have a material adverse effect on our business, financial condition, or results of operations. The potential impacts of climate change may also include increased operating costs associated with additional regulatory requirements and investments in reducing energy, water use and greenhouse gas emissions.